This message was deleted.
# getting-starteds
sparse-intern-71089
08/22/2022, 12:57 PMThis message was deleted.
s
stocky-restaurant-98004
08/22/2022, 12:59 PMYou do need to be an admin to create an org token, per: https://www.pulumi.com/docs/intro/pulumi-service/organization-access-tokens/
f
fresh-musician-40418
08/22/2022, 1:07 PMThank you for confirming @stocky-restaurant-98004 🙏
youre welcome 1
c
crooked-notebook-49997
08/22/2022, 4:02 PMDocs say "Organization tokens are available on trials, and Enterprise and Business Critical subscriptions." We are on a trial but will eventually be on Team pricing, not Enterprise or Business Critical at this time.
crooked-notebook-49997
08/22/2022, 4:08 PMBest practice, regardless of Org size would seem to be to have Org Tokens, but if that is a restriction to only enterprise teams, that would seem to force us to use a workaround like a shared account, but is not great security. Or is there an alternative or something we're missing?
l
little-cartoon-10569
08/22/2022, 10:56 PMYou can use a non-shared CI account.
c
crooked-notebook-49997
08/23/2022, 6:09 PM@stocky-restaurant-98004 Can you confirm Org Tokens are not available on Team accounts after the trial ends?
crooked-notebook-49997
08/23/2022, 6:13 PM@little-cartoon-10569 Could you elaborate? We do have the Pulumi app installed and configured in GitHub.
s
stocky-restaurant-98004
08/23/2022, 8:15 PM@crooked-notebook-49997 That's correct - they will no longer be available once the trial ends.
c
crooked-notebook-49997
08/23/2022, 8:16 PMSo what would be the recommendation in that case for configuring access without personal tokens?
l
little-cartoon-10569
08/23/2022, 8:35 PM@crooked-notebook-49997 I think it's what you meant when you said "a workaround like a shared account". Just, don't share it. There's no need for anyone to use it once it's created and set up in CI. The creds remain in a vault and no one ever logs in as it.
c
crooked-notebook-49997
08/23/2022, 8:37 PMSo we have such an account we use for CD in other scenarios, I say its a shared account but in reality we do not share the creds and we do not want to. So while I have access, @fresh-musician-40418 does not, and he is setting up Pulumi.
l
little-cartoon-10569
08/23/2022, 8:39 PMIs this your current problem?
• Limited number of accounts (3, iirc).
• 1 needs to be admin (you).
• 1 needs to be CI.
• You have 15 other infra devs.
We have this with one project. It is the ultimate push towards gitops! 🙂
c
crooked-notebook-49997
08/23/2022, 8:40 PMYup, I think so, more of less.
l
little-cartoon-10569
08/23/2022, 8:40 PMOur solution was a for dev envs to use local / private state, and only CI to use the Pulumi service. It's not awesome, but it forces excellent practices with things like project and stack naming. And in our case, the problem went away just after we got everything working acceptably, because the company saw how useful Pulumi was and upgraded us.
c
crooked-notebook-49997
08/23/2022, 8:41 PM• 1 Me (Admin in GH and Pulumi)
• 1 CI (Admin in GH and Pulumi)
• 4-5 Devs
crooked-notebook-49997
08/23/2022, 8:46 PM3 shared environments and corresponding branches: Dev, Stage, Prod. Plus, each developer has their own environment (AWS) (and branch). Desire is to manage/store Pulumi State Files in Pulumi (vs. local or S3).
l
little-cartoon-10569
08/23/2022, 8:49 PMCI doesn't need to be admin...
little-cartoon-10569
08/23/2022, 9:00 PMThe only way to achieve that on the lower-tier plans and prevent shared credentials is to not give devs direct access to Pulumi and require everything to do done via GH. Dev envs can be managed just like stage / prod etc. Only the CI user does any real deployments.
c
crooked-notebook-49997
08/23/2022, 9:03 PMAlright. All good advice and help. We'll continue and see where we end up. Thanks!
3 Views